Jump to Content
Bridegecrew
HomeDocumentationRecipesAPI ReferenceChangelog
PlatformResourcesSign inSign UpBridegecrew
PlatformResourcesSign inSign Up
HomeDocumentationRecipesAPI ReferenceChangelog

Welcome

  • What is Bridgecrew?
  • Prerequisites
  • Open Source

Get Started

  • Sign Up
  • Integrate with Code Repositories
    • Integrate with GitHub
    • Integrate with Bitbucket
    • Integrate with GitLab Self-Managed
    • Integrate with GitLab
    • Integrate with GitHub Server
    • Integrate with Bitbucket Server
    • Integrate with Azure Repos
  • Integrate with Cloud Providers
    • Integrate with AWS
    • Integrate with Google Cloud Platform
    • Integrate with Microsoft Azure
  • Integrate with CI/CD Systems
    • Terraform Cloud (Sentinel)
    • Terraform Cloud (Run Tasks)
    • Github Actions
    • Jenkins
    • CircleCI
    • AWS CodeBuild
    • Checkov
    • Bridgecrew CLI
    • GitHub Code Scanning
    • GitLab Runner
    • Azure Pipelines
    • Kubernetes Clusters
    • AWS CDK templates
    • Kubernetes Admission Controller
    • Terraform Enterprise (Sentinel)
    • Terraform Enterprise (Run Tasks)
  • Integrate with IDE
    • Visual Studio Code
    • Jetbrains
  • Integrate with Kubernetes

Code Analysis

  • Infrastructure-as-Code
  • Images
  • Open Source (SCA)
  • Secrets
  • Supply Chain
  • Code-to-Cloud
    • Drift Detection
    • Unmanaged Resource Detection
    • Unused Resource Detection

Advanced Setup

  • Plan & Track
    • Dashboard
    • Incidents
    • Projects
    • Development Pipelines
    • Resource Explorer
    • Enforcement
    • Compliance Reports
    • Code Repository Badges
  • Custom Policies
    • Definition Structure
    • Visual Editor
    • Code Editor
    • Examples (Code-Based)
  • Fix
    • IaC Resources
    • Runtime Resources
    • Suppress
    • Create Issue
  • Manage Tags
    • Traceability
    • Manage Tag Rules
  • Integrations
  • API Access
  • SBOM Generation

Organization Management

  • Notification Systems
    • Set Up Slack
    • Set Up Jira
    • Set Up Splunk
    • Weekly Email Messages
  • SSO Systems
    • OneLogin
    • Azure AD
    • ADFS On-Premises
    • Okta
  • User Management
  • Billing
    • What Happens If My Payment Failed?
    • How do I delete my account?

AWS Policies

  • AWS Policy Index
  • General Policies
    • Ensure QLDB ledger has deletion protection enabled
    • Ensure EC2 instances have tags
    • Ensure EBS volumes are attached to an instance
    • Ensure AWS EBS volumes are encrypted
    • Ensure AWS RDS DB cluster encryption is enabled
    • Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication
    • Ensure DynamoDB PITR is enabled
    • Ensure all data stored in the EBS snapshot is securely encrypted
    • Ensure ECR image scan on push is enabled
    • Ensure AWS ElastiCache Redis cluster with encryption for data at rest is enabled
    • Ensure AWS ElastiCache Redis cluster with in-transit encryption is enabled
    • Ensure data stored in the ElastiCache Replication Group is securely encrypted in-transit
    • Ensure Instances and Launch configurations use encrypted EBS volumes
    • Ensure all data stored in SageMaker is securely encrypted at rest
    • Ensure AWS SNS topic has SSE enabled
    • Ensure AWS SQS server side encryption is enabled
    • Ensure AWS EFS with encryption for data at rest is enabled
    • Ensure Neptune storage is securely encrypted
    • Ensure all unused Elastic IPs are deleted
    • Ensure unused network interfaces are deleted
    • Ensure unused Elastic Load Balancers are deleted
    • Ensure AWS Kinesis streams are encrypted using SSE
    • Ensure DAX is securely encrypted at rest
    • Ensure ECR image tags are immutable
    • Ensure AWS Redshift cluster is encrypted
    • Ensure AWS resources that support tags have Tags
    • Ensure CloudFront distribution has WAF enabled
    • Ensure DocumentDB is encrypted at rest
    • Ensure Athena Database is encrypted at rest
    • Ensure CodeBuild project encryption is not disabled (Artifacts)
    • Ensure Instance Metadata Service version 1 is not enabled
    • Ensure MSK cluster encryption at rest and in transit is enabled
    • Ensure Athena workgroup prevents disabling encryption
    • Ensure instances with scheduled reboots are rescheduled or manually rebooted
    • Ensure PGAudit is enabled on RDS Postgres instances
    • Ensure Glue Data Catalog encryption is enabled
    • Ensure all data stored in Aurora is securely encrypted at rest
    • Ensure EFS volumes in ECS task definitions have encryption in transit enabled
    • Ensure AWS SageMaker notebook instance is configured with data encryption at rest using KMS key
    • Ensure AWS Glue security configuration encryption is enabled
    • Ensure Neptune cluster instance is not publicly available
    • Ensure AWS Load Balancer is using TLS 1.2
    • Ensure API gateway caching is enabled
    • Ensure DynamoDB Tables have Auto Scaling enabled
    • Ensure Amazon ElastiCache Redis clusters have automatic backup turned on
    • Ensure RDS instances have backup policy
    • Ensure Amazon EFS has an AWS Backup backup plan
    • Ensure RDS clusters have an AWS Backup backup plan
    • Ensure EBS has an AWS Backup backup plan
    • Ensure KMS has a rotation policy
    • Ensure DynamoDB tables are encrypted
    • Ensure ECR repositories are encrypted
    • Ensure RDS global clusters are encrypted
    • Ensure Redshift cluster is encrypted by KMS
    • Ensure S3 buckets are encrypted with KMS by default
    • Ensure Secret Manager secret is encrypted using KMS
    • Ensure only encrypted EBS volumes are attached to EC2 instances
    • Ensure load balancer has deletion protection enabled
    • Ensure that AWS EMR clusters have Kerberos enabled
    • Ensure AWS Lambda function is configured for function-level concurrent execution limit
    • Ensure AWS Lambda function is configured for a DLQ
    • Ensure AWS Lambda function is configured inside a VPC
    • Ensure GuardDuty is enabled to specific org/region
    • Ensure Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager
    • Ensure that EC2 is EBS optimized
    • Ensure RDS clusters and instances have deletion protection enabled
    • Ensure Redshift cluster allow version upgrade by default
    • Ensure S3 bucket has lock configuration enabled by default
    • Ensure S3 bucket has cross-region replication enabled
    • Ensure RDS instances have Multi-AZ enabled
    • Ensure Route 53 DNS service modifications are detected
    • Ensure provisioned resources are not manually modified
    • Ensure DocDB has audit logs enabled
    • Ensure Redshift uses SSL
    • Ensure Session Manager data is encrypted in transit
    • Ensure that RDS database cluster snapshot is encrypted
    • Ensure that CodeBuild projects are encrypted
    • Ensure that Secrets Manager secret is encrypted using KMS CMK
    • Ensure EBS default encryption is enabled
    • Autoscaling groups should supply tags to launch configurations
    • Ensure that Workspace user volumes are encrypted
    • Ensure that Workspace root volumes are encrypted
    • Ensure that CloudWatch Log Group is encrypted by KMS
    • Ensure that Athena Workgroup is encrypted
    • Ensure that Timestream database is encrypted with KMS CMK
    • Ensure Dynamodb point in time recovery is enabled for global tables
    • Ensure Backup Vault is encrypted at rest using KMS CMK
    • Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it
    • Ensure SQS queue policy is not public by only allowing specific services or principals to access it
    • Ensure SNS topic policy is not public by only allowing specific services or principals to access it
    • Ensure EMR Cluster security configuration encryption uses SSE-KMS
    • Ensure Route53 A Record has an attached resource
    • Ensure Postgres RDS has Query Logging enabled
    • Ensure QLDB ledger permissions mode is set to STANDARD
    • Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK)
    • Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK)
    • Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK)
    • Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EFS file system is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK)
    • Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)
    • Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)
    • Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
    • Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)
    • Ensure RedShift Cluster is encrypted by KMS using a customer managed Key
    • Ensure Glue component has a security configuration associated
    • Ensure Glue component has a security configuration associated
    • Ensure Postgres RDS has Query Logging enabled
    • Ensure Session Manager logs are enabled and encrypted
    • Ensure MQ Broker minor version updates are enabled
    • Ensure AWS Codecommit is associated with an approval rule
    • Ensure AWS Kinesis Firehose Delivery Streams are encrypted with CMK
    • Ensure AWS FSX openzfs file system is encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK)
    • Ensure AWS RDS uses a modern CaCert
    • Ensure AWS Cloudsearch uses HTTPS
    • Ensure AWS MQBroker version is up to date
    • Ensure AWS DB instance gets all minor upgrades automatically
    • Ensure AWS Key Management Service (KMS) key is enabled
    • Ensure AWS AMI copying uses a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK)
    • Ensure AWS Batch Job is not defined as a privileged container
    • Ensure AWS MemoryDB is encrypted at rest by AWS' Key Management Service KMS using CMKs
    • Ensure AWS Code Artifact Domain is encrypted by KMS using a Customer Managed Key (CMK)
    • Ensure AWS API Gateway caching is enabled
    • Ensure AWS Terraform does not send SSM secrets to untrusted domains over HTTP
    • Ensure AWS RDS PostgreSQL instances use a non-vulnerable version of log_fdw extension
    • Ensure AWS RedShift Cluster is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS AuthType for your Lambda function URLs is defined
    • Ensure AWS Codecommit branch changes have at least 2 approvals
    • Ensure AWS CloudFront response header policy enforces Strict Transport Security
    • Ensure AWS Cloudsearch uses the latest (Transport Layer Security) TLS
    • Ensure AWS DLM-cross region schedules are encrypted
    • Ensure AWS Glue component is associated with a security configuration
    • Ensure AWS API Gateway Domain uses a modern security policy
    • Ensure AWS AppSync is protected by WAF
    • Ensure AWS Appsync API Cache is encrypted in transit
    • Ensure AWS DMS instance receives all minor updates automatically
    • Ensure AWS replicated backups are encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS SSM Parameter is encrypted
    • Ensure AWS DAX cluster endpoint uses (Transport Layer Security) TLS
    • Ensure AWS API deployments enable Create before Destroy
    • Ensure AWS GuardDuty detector is enabled
    • Ensure AWS EBS Volume is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS Cloudfront distribution is enabled
    • Ensure AWS Image Builder Distribution Configuration is encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS RDS Cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    • Ensure AWS Elasticsearch domain uses an updated TLS policy
    • Ensure AWS API GATEWAY enables Create before Destroy
    • Ensure AWS AMIs are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)
    • Ensure AWS Kinesis Firehose's delivery stream is encrypted
    • Ensure AWS all data stored in the Elasticsearch domain is encrypted using a Customer Managed Key (CMK)
    • Ensure AWS Appsync API Cache is encrypted at rest
    • Ensure AWS copied AMIs are encrypted
    • Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK)
    • Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
    • Ensure AWS DLM cross-region events are encrypted
    • Ensure AWS Image Recipe EBS Disk are encrypted using a Customer Managed Key (CMK)
    • Ensure AWS API Gateway method settings enable caching
    • Ensure AWS MemoryDB data is encrypted in transit
    • Ensure AWS AMI launch permissions are limited
    • Ensure AWS AppSync has field-level logs enabled
    • Ensure AWS MWAA environment has worker logs enabled
    • Ensure AWS MWAA environment has scheduler logs enabled
    • Ensure AWS AppSync's logging is enabled
    • Ensure AWS MWAA environment has webserver logs enabled
    • Ensure AWS ECS Cluster enables logging of ECS Exec
    • Ensure AWS CloudTrail logging is enabled
    • Ensure AWS ACM certificates has logging preference
    • Ensure AWS MQBroker audit logging is enabled
    • Ensure AWS CloudTrail defines an SNS Topic
    • Ensure AWS App Flow flow uses Customer Managed Keys (CMKs)
    • Ensure AWS App Flow connector profile uses Customer Managed Keys (CMKs)
    • Ensure AWS HTTP and HTTPS target groups define health check
    • Ensure AWS RDS DB snapshot uses Customer Managed Keys (CMKs)
    • Ensure AWS Keyspace Table uses Customer Managed Keys (CMKs)
    • Ensure AWS Kendra index server side encryption uses Customer Managed Keys (CMKs)
    • Ensure AWS Config recorder is enabled to record all supported resources
    • Ensure AWS Config must record all possible resources
    • Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
    • Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled
  • IAM Policies
    • Ensure using AWS Account root user is avoided
    • Ensure MFA is enabled for all IAM users with a console password
    • Ensure credentials unused for 90 days or greater are disabled
    • Ensure access keys are rotated every 90 days or less
    • Ensure AWS IAM password policy has an uppercase character
    • Ensure AWS IAM password policy has a lowercase character
    • Ensure AWS IAM password policy has a symbol
    • Ensure AWS IAM password policy has a number
    • Ensure AWS IAM password policy has a minimum of 14 characters
    • Ensure AWS IAM password policy does not allow password reuse
    • Ensure AWS IAM password policy expires in 90 days or less
    • Ensure no root account access key exists
    • Ensure MFA is enabled for root account
    • Ensure hardware MFA for root account is enabled
    • Ensure security questions are registered in the AWS account
    • Ensure IAM policies are only attached to Groups and Roles
    • Ensure detailed billing is enabled
    • Ensure AWS account contact details are up-to-date
    • Ensure security contact information is registered
    • Ensure IAM instance roles are used for AWS resource access from instances
    • Ensure an IAM role has been created to manage incidents with AWS Support
    • Ensure access keys are not created during initial user setup for IAM users with a console password
    • Ensure IAM policies that allow full administrative privileges are not created
    • Ensure access keys are rotated every 30 days or less
    • Ensure access keys are rotated every 45 days or less
    • Ensure active access keys are used every 90 days or less
    • Ensure IAM users that are inactive for 30 days or more are deactivated
    • Ensure unused IAM Users and Roles for 90 days are removed
    • Ensure user accounts unused for 90 days are removed
    • Ensure AWS roles with administrative privileges unused for 90 days are removed
    • Ensure user accounts with administrative privileges unused for 90 days are removed
    • Ensure empty IAM groups are removed
    • Ensure unattached policies are removed
    • Ensure unused policies are detached from users
    • Ensure unused policies are detached from roles
    • Ensure unused policies are detached from groups
    • Ensure IAM policy documents do not allow * (asterisk) as a statement's action
    • Ensure IAM role allows only specific services or principals to be assumed
    • Ensure AWS IAM policy does not allow assume role permission across all services
    • Ensure SQS policy documents do not allow * (asterisk) as a statement's action
    • Ensure AWS IAM policy does not allow full administrative privileges
    • Ensure IAM policy documents do not allow * (asterisk) as a statement's action
    • Ensure excessive permissions are not granted for IAM users
    • Ensure excessive permissions are not granted for IAM roles
    • Ensure excessive permissions are not granted for IAM groups
    • Ensure excessive permissions are not granted for IAM policy
    • Ensure credentials unused for 180 days or greater are disabled
    • Ensure IAM policies do not allow credentials exposure for ECR
    • Ensure IAM policies do not allow data exfiltration
    • Ensure IAM policies do not allow permissions management / resource exposure without constraint
    • Ensure IAM policies does not allow write access without constraint
    • Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
    • Ensure respective logs of Amazon RDS are enabled
    • Ensure IAM groups include at least one IAM user
    • Ensure all IAM users are members of at least one IAM group
    • Ensure IAM configuration modifications are detected
    • Ensure IAM policies does not allow privilege escalation
    • Ensure RDS database has IAM authentication enabled
    • Ensure RDS cluster has IAM authentication enabled
    • Ensure an IAM User does not have access to the console
    • Ensure KMS key policy does not contain wildcard (*) principal
    • Ensure the AWS Execution Role ARN and Task Role ARN are different in ECS Task definitions
    • Ensure an IAM role is attached to EC2 instance
    • Ensure S3 Bucket does not allow access to all Authenticated users
    • Ensure AWS Cloudfront Distribution with S3 have Origin Access set to enabled
  • Kubernetes Policies
    • Ensure AWS EKS cluster security group is not overly permissive to all traffic
    • Ensure AWS EKS cluster endpoint access is publicly disabled
    • Ensure AWS EKS cluster has secrets encryption enabled
    • Ensure AWS EKS control plane logging is enabled
    • Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0
    • Ensure Kubernetes secrets are encrypted using CMKs managed in AWS KMS
  • Logging Policies
    • Ensure AWS CloudTrail is enabled in all regions
    • Ensure AWS CloudTrail log validation is enabled in all regions
    • Ensure the S3 bucket used to store CloudTrail logs does not have public access
    • Ensure CloudTrail and CloudWatch logs are integrated
    • Ensure AWS config is enabled in all regions
    • Ensure CloudTrail S3 bucket access logging is enabled
    • Ensure AWS CloudTrail logs are encrypted using CMKs
    • Ensure AWS CMK rotation is enabled
    • Ensure AWS VPC Flow logs are enabled
    • Ensure Amazon MQ Broker logging is enabled
    • Ensure container insights are enabled on ECS cluster
    • Ensure AWS Redshift database has audit logging enabled
    • Ensure CloudWatch log groups specify retention days
    • Ensure CloudTrail logging in All Regions is enabled
    • Ensure API Gateway has X-Ray tracing enabled
    • Ensure Global Accelerator has Flow logs enabled
    • Ensure API Gateway has access logging enabled
    • Ensure Amazon MSK cluster logging is enabled
    • Ensure AWS DocumentDB logging is enabled
    • Ensure AWS CloudFront distribution has access logging enabled
    • Ensure CloudWatch logs are encrypted at rest using KMS CMKs
    • Ensure AWS ELB (Classic) with access log is enabled
    • Ensure the ELB has access logging enabled
    • Ensure Neptune logging is enabled
    • Ensure AWS CloudFormation stacks are sending event notifications to an SNS topic
    • Ensure detailed monitoring for EC2 instances is enabled
    • Ensure CloudTrail trail is integrated with CloudWatch Log
    • Ensure enhanced monitoring for Amazon RDS instances is enabled
    • Ensure API Gateway stage have logging level defined appropriately
    • Ensure API Gateway V2 has Access Logging enabled
    • Ensure Logging is enabled for WAF Web Access Control Lists
    • Ensure Postgres RDS as aws_db_instance has Query Logging enabled
    • Ensure WAF2 has a Logging Configuration
  • Networking Policies
    • Ensure AWS Security Group does not allow all traffic on SSH port 22
    • Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure AWS Default Security Group restricts all traffic
    • Ensure VPC peering routing tables have least access
    • Ensure EC2 instances do not have security groups attached
    • Ensure AWS VPC endpoints are not exposed
    • Ensure Security Groups do not have unrestricted access
    • Ensure Security Groups accept traffic only from ports 80 and 443
    • Ensure EC2 instance does not have unrestricted security group attached
    • Ensure RDS database does not have unrestricted security group attached
    • Ensure network interface does not have unrestricted security group attached
    • Ensure classical load balancer does not have unrestricted security group attached
    • Ensure application load balancer does not have unrestricted security group attached
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
    • Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
    • Do not use default settings of a VPC
    • Ensure Internet-facing ELBs are whitelisted
    • Ensure ALB protocol is HTTPS
    • Ensure every Security Group rule has a description
    • Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
    • Ensure CloudFront distributions do not use deprecated SSL protocols
    • Ensure ELBs do not allow insecure SSL protocols or ciphers
    • Ensure EC2 instances behind load balancers are not publicly accessible
    • Ensure ELBs use SSL listeners
    • Ensure DocDB TLS is not disabled
    • Ensure AWS SageMaker notebook instance is configured with direct internet access feature
    • Ensure VPC endpoint service is configured for manual acceptance
    • Ensure Amazon EMR clusters' security groups are not open to the world
    • Ensure that ALB drops HTTP headers
    • Ensure that Elasticsearch is configured inside a VPC
    • Ensure ELB has cross-zone-load-balancing enabled
    • Ensure Amazon Redshift clusters are not publicly accessible
    • Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
    • Ensure AWS EC2 instance is configured with VPC
    • Ensure all EIP addresses allocated to a VPC are attached to EC2 instances
    • Ensure ALB redirects HTTP requests into HTTPS ones
    • Ensure all NACL are attached to subnets
    • Ensure Security Groups are attached to EC2 instances or ENIs
    • Ensure S3 Bucket has public access blocks
    • Security Group modifications detected
    • Ensure public facing ALB are protected by AWS Web Application Firewall v2 (AWS WAFv2)
    • Ensure public API gateway are protected by AWS Web Application Firewall v2 (AWS WAFv2)
    • Ensure VPC subnets do not assign public IP by default
    • Ensure no default VPC is planned to be provisioned
    • Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
    • Ensure Redshift is not deployed outside of a VPC
    • Ensure Transfer Server is not exposed publicly
    • Ensure WAF prevents message lookup in Log4j2
    • Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
    • Ensure CloudFront distribution has a strict security headers policy attached
    • Ensure WAF has associated rules
    • Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80
    • Ensure AWS Elasticache security groups are defined
    • Ensure AWS ACM certificate enables Create before Destroy
    • Ensure AWS Elasticsearch does not use the default security group
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 21
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 22
    • Ensure AWS RDS security groups are defined
    • Ensure AWS ELB Policy uses only secure protocols
    • Ensure AWS NACL does not allow ingress from 0.0.0.0/0 to port 20
    • Ensure AWS NAT Gateways are utilized for the default route
    • Ensure AWS Security Group does not allow all traffic on all ports
    • Ensure AWS CloudFront distribution uses custom SSL certificate
    • Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic
    • Ensure AWS Database Migration Service endpoints have SSL configured
  • Public Policies
    • Ensure AWS ECR repository is not exposed to public
    • Ensure AWS RDS database instance is not publicly accessible
    • Ensure Elasticsearch domains are not publicly accessible
    • Ensure SQS queue policy is not publicly accessible
    • Ensure SNS topic policy is not publicly accessible
    • Ensure API gateway methods are not publicly accessible
    • Ensure EBS snapshots are not publicly accessible
    • Ensure EC2 AMIs are not publicly accessible
    • Ensure Amazon Redshift clusters are not publicly accessible
    • Ensure RDS instances are not publicly accessible
    • Ensure AWS MQ is not publicly accessible
    • Ensure AWS EC2 instances aren't automatically made public with a public IP
    • Ensure DMS replication instance is not publicly accessible
  • Elasticsearch Policies
    • Ensure AWS Elasticsearch domain encryption for data at rest is enabled
    • Ensure AWS Elasticsearch has node-to-node encryption enabled
    • Ensure AWS Elasticsearch domains have EnforceHTTPS enabled
    • Ensure AWS Elasticsearch domain logging is enabled
  • Monitoring Policies
    • Ensure a log metric filter and alarm exist for unauthorized API calls
    • Ensure a log metric filter and alarm exist for management console sign-in without MFA
    • Ensure a log metric filter and alarm exist for root account use
    • Ensure a log metric filter and alarm exist for IAM policy changes
    • Ensure a log metric filter and alarm exist for CloudTrail configuration changes
    • Ensure a log metric filter and alarm exist for AWS Management console authentication failures
    • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
    • Ensure a log metric filter and alarm exist for S3 bucket policy changes
    • Ensure a log metric filter and alarm exist for AWS Config configuration changes
    • Ensure a log metric filter and alarm exist for Security Group changes
    • Ensure a log metric filter and alarm exist for changes to NACLs
    • Ensure a log metric filter and alarm exist for changes to network gateways
    • Ensure a log metric filter and alarm exist for route table changes
    • Ensure a log metric filter and alarm exist for VPC changes
  • S3 Policies
    • Ensure bucket ACL does not grant READ permission to everyone
    • Ensure AWS S3 bucket is not publicly writable
    • Ensure bucket ACL does not grant READ_ACP permission to everyone
    • Ensure bucket ACL does not grant WRITE_ACP permission to everyone
    • Ensure bucket ACL does not grant FULL_CONTROL permission to everyone
    • Ensure bucket ACL does not grant READ permission to AWS users
    • Ensure bucket ACL does not grant WRITE permission to AWS users
    • Ensure bucket ACL does not grant READ_ACP permission to AWS users
    • Ensure bucket ACL does not grant WRITE_ACP permission to AWS users
    • Ensure bucket ACL does not grant FULL_CONTROL permission to AWS users
    • Ensure S3 bucket policy does not grant Allow permission to everyone
    • Ensure AWS access logging is enabled on S3 buckets
    • Ensure data stored in the S3 bucket is securely encrypted at rest
    • Ensure data is transported from the S3 bucket securely
    • Ensure AWS S3 object versioning is enabled
    • Ensure bucket policy does not grant Write permissions to public
    • Ensure S3 bucket has block public ACLS enabled
    • Ensure S3 Bucket BlockPublicPolicy is set to True
    • Ensure S3 bucket IgnorePublicAcls is set to True
    • Ensure S3 bucket RestrictPublicBucket is set to True
    • Ensure S3 bucket does not allow an action with any Principal
    • Ensure S3 bucket MFA Delete is enabled
    • Ensure S3 bucket modifications can be detected
  • Secrets Policies
    • Ensure EC2 user data does not expose secrets
    • Ensure CloudFormation outputs do not expose secrets
    • Ensure Lambda function's environment variables do not expose secrets
    • Ensure ECS task definition variables do not expose secrets
    • Ensure AWS access keys and secrets are not hard coded in infrastructure
  • Serverless Policies
    • Serverless Lambda policy modifications detected
    • Ensure Lambda function does not have Admin privileges
    • Ensure Lambda function does not have cross account access
    • Lambda function should not have same IAM role for more than one Lambda function
    • Ensure AWS Lambda functions with tracing are enabled
    • Check encryption settings for Lambda environmental variable

Kubernetes Policies

  • Kubernetes Policy Index
    • Do not admit containers wishing to share host process ID namespace
    • Do not admit privileged containers
    • Do not admit containers wishing to share host IPC namespace
    • Do not admit containers wishing to share host network namespace
    • Do not admit root containers
    • Do not admit containers with NET_RAW capability
    • Ensure liveness probe is configured
    • Ensure readiness probe is configured
    • Ensure CPU request is set
    • Ensure CPU limits are set
    • Ensure memory requests are set
    • Ensure memory limits are set
    • Ensure image tag is set to Fixed - not Latest or Blank
    • Ensure image pull policy is set to Always
    • Ensure container is not privileged
    • Ensure containers do not share host process ID namespace
    • Ensure containers do not share host IPC namespace
    • Ensure containers do not share the host network namespace
    • Ensure containers do not run with AllowPrivilegeEscalation
    • Ensure default namespace is not used
    • Use Read-Only filesystem for containers where possible
    • Minimize admission of root containers
    • Ensure containers with added capability are not allowed
    • Ensure admission of containers with added capability is minimized
    • Do not specify hostPort unless absolutely necessary
    • Limit mounting Docker socket daemon in a container
    • Ensure admission of containers with NET_RAW capability is minimized
    • Ensure securityContext is applied to pods and containers
    • Ensure seccomp is set to Docker/Default or Runtime/Default
    • Ensure seccomp profile is set to Docker/Default or Runtime/Default
    • Ensure Kubernetes dashboard is not deployed
    • Ensure Tiller (Helm V2) is not deployed
    • Use secrets as files instead of environment variables
    • Ensure admission of containers with capabilities assigned is limited
    • Ensure service account tokens are mounted where necessary
    • Ensure CAP_SYS_ADMIN Linux capability is not used
    • Ensure containers run with a high UID to avoid host conflict
    • Ensure default service accounts are not actively used
    • Ensure images are selected using a digest
    • Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
    • Ensure Tiller (Helm v2) service is deleted
    • Ensure containers do not run with AllowPrivilegeEscalation
    • Ensure securityContext is applied to pods and containers
    • Minimize the admission of containers with capabilities assigned
    • Ensure that default service accounts are not actively used by bounding to a role or cluster role
    • Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for API servers
    • Ensure Kubelet only uses strong cryptographic ciphers
    • Ensure the --etcd-cafile argument is set appropriately
    • Ensure encryption providers are appropriately configured
    • Ensure the API server makes use of strong cryptographic ciphers
    • Ensure the --terminated-pod-gc-threshold argument for controller managers is set appropriately
    • Ensure the --profiling argument for controller managers is set to False
    • Ensure the --use-service-account-credentials argument for controller managers is set to True
    • Ensure the --service-account-private-key-file argument for controller managers is set appropriately
    • Ensure the --root-ca-file argument for controller managers is set appropriately
    • Ensure the RotateKubeletServerCertificate argument for controller managers is set to True
    • Ensure the --bind-address argument for controller managers is set to 127.0.0.1
    • Ensure the --profiling argument is set to False
    • Ensure the --bind-address argument is set to 127.0.0.1
    • Ensure the --cert-file and --key-file arguments are set appropriately
    • Ensure the --client-cert-auth argument is set to True
    • Ensure the --auto-tls argument is not set to True
    • Ensure the --peer-cert-file and --peer-key-file arguments are set appropriately
    • Ensure the --peer-client-cert-auth argument is set to True
    • Ensure the --peer-auto-tls argument is not set to True
    • Ensure the --anonymous-auth argument is set to False
    • Ensure the --authorization-mode argument is not set to AlwaysAllow
    • Ensure the --client-ca-file argument for API Servers is set appropriately
    • Ensure the --read-only-port argument is set to 0
    • Ensure the --streaming-connection-idle-timeout argument is not set to 0
    • Ensure the --protect-kernel-defaults argument is set to True
    • Ensure the --make-iptables-util-chains argument is set to True
    • Ensure the --hostname-override argument is not set
    • Ensure the --event-qps argument is set to 0 or a level that ensures appropriate event capture
    • Ensure the --tls-cert-file and --tls-private-key-file arguments are set appropriately for Kubelet
    • Ensure the --rotate-certificates argument is not set to False
    • Ensure the RotateKubeletServerCertificate argument for kubelets is set to True
    • Ensure the --anonymous-auth argument is set to False
    • Ensure the --basic-auth-file argument is not Set
    • Ensure the --token-auth-file argument is not Set
    • Ensure the --kubelet-https argument is set to True
    • Ensure the --kubelet-client-certificate and --kubelet-client-key arguments are set appropriately
    • Ensure the --kubelet-certificate-authority argument is set appropriately
    • Ensure the --authorization-mode argument is not set to AlwaysAllow
    • Ensure the --authorization-mode argument includes node
    • Ensure the --authorization-mode argument includes RBAC
    • Ensure the admission control plugin EventRateLimit is set
    • Ensure the admission control plugin AlwaysAdmit is not set
    • Ensure the admission control plugin AlwaysPullImages is set
    • Ensure the admission control plugin SecurityContextDeny is sSet if PodSecurityPolicy is not used
    • Ensure the admission control plugin ServiceAccount is set
    • Ensure the admission control plugin NamespaceLifecycle is set
    • Ensure the admission control plugin PodSecurityPolicy is set
    • Ensure the admission control plugin NodeRestriction is set
    • Ensure the --insecure-bind-address argument is not set
    • Ensure the --insecure-port argument is set to 0
    • Ensure the --secure-port argument is not set to 0
    • Ensure the --profiling argument is set to False
    • Ensure the --audit-log-path argument is set
    • Ensure the --audit-log-maxage argument is set to 30 or as appropriate
    • Ensure the --audit-log-maxbackup argument is set to 10 or as appropriate
    • Ensure the --audit-log-maxsize argument is set to 100 or as appropriate
    • Ensure the --request-timeout argument is set appropriately
    • Ensure the --service-account-lookup argument is set to True
    • Ensure the --service-account-key-file argument is set appropriately
    • Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately
    • Ensure minimized wildcard use in Roles and ClusterRoles
    • Ensure ClusterRoles that grant control over validating or mutating admission webhook configurations are minimized
    • Ensure ClusterRoles that grant permissions to approve CertificateSigningRequests are minimized
    • Ensure Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are minimized
    • Ensure Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are minimized
    • Prevent NGINX Ingress annotation snippets which contain LUA code execution
    • Prevent All NGINX Ingress annotation snippets
    • Prevent NGINX Ingress annotation snippets which contain alias statements
    • RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding
    • Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation
    • No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts
    • ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster
    • No ServiceAccount/Node should be able to read all secrets

Azure Policies

  • Azure Policy Index
  • General Policies
    • Ensure Azure VM data disk is encrypted with ADE/CMK
    • Ensure Azure App Service Web app authentication is On
    • Ensure a security contact phone number is present
    • Ensure Send email notification for high severity alerts is enabled
    • Ensure Send email notification for high severity alerts to admins is enabled
    • Ensure Azure SQL Server threat detection alerts are enabled for all threat types
    • Ensure Azure SQL server send alerts to field value is set
    • Ensure MSSQL servers have email service and co-administrators enabled
    • Ensure standard pricing tier is selected
    • Ensure all keys have an expiration date
    • Ensure Azure key vault is recoverable
    • Ensure a retention period of less than 90 days is specified
    • Ensure Azure Linux scale set uses an SSH key
    • Ensure Virtual Machine extensions are not installed
    • Ensure FTP Deployments are disabled
    • Ensure PostgreSQL server enables geo-redundant backups
    • Ensure key vault key is backed by HSM
    • Ensure MariaDB server enables geo-redundant backups
    • Ensure My SQL server enables geo-redundant backups
    • Ensure Virtual Machines are backed up using Azure backup
    • Ensure Cosmos DB accounts have customer-managed keys to encrypt data at rest
    • Ensure Data Lake Store accounts enable encryption
    • Ensure PostgreSQL server enables infrastructure encryption
    • Ensure Automation account variables are encrypted
    • Ensure Azure Data Explorer uses disk encryption
    • Ensure Azure Data Explorer uses double encryption
    • Ensure Azure Batch account uses key vault to encrypt data
    • Ensure managed disks use a specific set of disk encryption sets for customer-managed key encryption
    • Ensure MySQL server enables infrastructure encryption
    • Ensure Azure Data Factory uses Git repository for source control
    • Ensure key vault enables purge protection
    • Ensure key vault enables soft-delete
    • Ensure key vault secrets have content_type set
    • Ensure My SQL server enables Threat Detection policy
    • Ensure PostgreSQL server enables Threat Detection policy
    • Ensure Azure Security Center Defender is set to On for servers
    • Ensure Azure function app authentication is on
    • Ensure CORS disallows resource to access app services
    • Ensure security contact emails are set
    • Ensure Azure Security Center Defender is set to On for app service
    • Ensure CORS does not allow resources to access function apps
    • Ensure function app uses the latest HTTP version
    • Ensure Azure Security Center Defender is set to On for Azure SQL database servers
    • Ensure managed identity provider is enabled for app services
    • Ensure remote debugging is not enabled for app services
    • Ensure Azure Defender is set to On for SQL servers on machines
    • Ensure Azure App Service Web app uses the latest .Net Core version
    • Ensure Azure App Service Web app uses the latest PHP version
    • Ensure Azure App Service Web app uses the latest Python version
    • Ensure Azure App Service Web app uses the latest Java version
    • Ensure Azure Security Center Defender is set to On for storage
    • Ensure Azure Security Center Defender is set to On for Kubernetes
    • Ensure Azure Defender is set to On for container registries
    • Ensure Azure Security Center Defender set to On for Key Vault
    • Ensure app services use Azure files
    • Ensure Virtual Machines are utilizing managed disks
    • Ensure automatic OS image patching is enabled for Virtual Machine scale sets
    • Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
    • Ensure SQL servers enable data security policy
    • Ensure Azure SQL server ADS Vulnerability Assessment is enabled
    • Ensure Azure SQL server ADS Vulnerability Assessment Periodic recurring scans is enabled
    • Ensure Azure SQL server ADS VA Send scan reports to is configured
    • Ensure Azure SQL server ADS VA Also send email notifications to admins and subscription owners is enabled
    • Ensure SQL servers have Azure Active Directory admin configured
    • Ensure Azure Virtual Machines are utilizing managed disks
    • Ensure Virtual Machine scale sets have encryption at host enabled
    • Ensure storage for critical data are encrypted with CMKs
    • Ensure Azure Data Explorer encryption at rest uses a customer-managed key
    • Ensure unattached disks are encrypted
    • Ensure Azure data factories are encrypted with a customer-managed key
    • Ensure MySQL server enables customer-managed key for encryption
    • Ensure PostgreSQL server enables customer-managed key for encryption
    • Ensure Azure storage account encryption CMKs are enabled
    • Ensure MSSQL is using the latest version of TLS encryption
    • Ensure MySQL is using the latest version of TLS encryption
    • Ensure that Active Directory is used for Service Fabric authentication
    • Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
    • Ensure that Service Fabric uses available three levels of protection available
    • Ensure Azure resources that support tags have Tags
    • Ensure Cognitive Services account encryption CMKs are enabled
    • Ensure Azure Virtual machine does not enable password authentication
    • Ensure Azure PostgreSQL Flexible Server enables geo-redundant backups
    • Ensure Azure data exfiltration protection for Azure Synapse workspace is enabled
    • Ensure Azure Client Certificates are enforced for API management
    • Ensure Azure Cognitive Services enables Customer Managed Keys (CMKs) for encryption
    • Ensure Azure built-in logging for Azure function app is enabled
    • Ensure Azure SQL Server has default auditing policy configured
  • IAM Policies
    • Ensure App Service is registered with an Azure Active Directory account
    • Ensure Azure subscriptions with custom roles have minimum permissions
    • Ensure Azure Kubernetes Service (AKS) local admin account is disabled
    • Ensure Azure ACR admin account is disabled
    • Ensure Azure Windows VM enables encryption
    • Ensure Azure CosmosDB has Local Authentication disabled
    • Ensure Azure Machine Learning Compute Cluster Local Authentication is disabled
    • Ensure Azure ACR disables anonymous image pulling
  • Kubernetes Policies
    • Ensure Azure AKS cluster monitoring is enabled
    • Ensure Azure AKS enable RBAC is enforced
    • Ensure AKS API server defines authorized IP ranges
    • Ensure AKS cluster network policies are enforced
    • Ensure Kubernetes dashboard is disabled
    • Ensure AKS enables private clusters
    • Ensure AKS uses Azure policies add-on
    • Ensure AKS uses disk encryption set
  • Logging Policies
    • Ensure Azure Network Watcher NSG flow logs retention is greater than 90 days
    • Ensure Azure SQL server auditing is enabled
    • Ensure Azure SQL server audit log retention is greater than 90 days
    • Ensure storage logging for queue service has read, write, and delete requests enabled
    • Ensure activity log retention is set to 365 days or greater
    • Ensure log profile is configured to capture all activities
    • Ensure Azure storage account logging for tables is enabled
    • Ensure app service enables HTTP logging
    • Ensure app service enables detailed error messages
    • Ensure app service enables failed request tracing
    • Ensure Azure storage account logging for blobs is enabled
    • Ensure the storage container storing activity logs is not publicly accessible
  • Networking Policies
    • Ensure Azure instance authenticates using SSH keys
    • Ensure RDP Internet access is restricted
    • Ensure SSH Internet access is restricted
    • Ensure SQL databases do not allow ingress from 0.0.0.0/0
    • Ensure Azure App Service Web app redirects HTTP to HTTPS
    • Ensure Web App uses the latest version of TLS encryption
    • Ensure Web App has incoming client certificates enabled
    • Ensure Web App uses the latest version of HTTP
    • Ensure MySQL server databases have Enforce SSL connection enabled
    • Ensure Azure PostgreSQL database server with SSL connection is enabled
    • Ensure Azure PostgreSQL database server with log checkpoints parameter is enabled
    • Ensure Azure PostgreSQL database server with log connections parameter is enabled
    • Ensure Azure PostgreSQL database server with connection throttling parameter is enabled
    • Ensure public access level for Blob Containers is set to private
    • Ensure Azure Storage Account default network access is set to Deny
    • Ensure Azure Storage Account Trusted Microsoft Services access is enabled
    • Ensure MariaDB servers have Enforce SSL connection enabled
    • Ensure that Storage accounts disallow public access
    • Ensure storage accounts have secure transfer enabled
    • Ensure PostgreSQL server disables public network access
    • Ensure function apps are only accessible over HTTPS
    • Ensure UDP Services are restricted from the Internet
    • Ensure Azure cache for Redis has public network access disabled
    • Ensure only SSL are enabled for cache for Redis
    • Ensure Azure container container group is deployed into a virtual network
    • Ensure Cosmos DB accounts have restricted access
    • Ensure Azure Synapse workspaces have no IP firewall rules attached
    • Ensure Azure Cosmos DB disables public network access
    • Ensure Azure Data factory public network access is disabled
    • Ensure Azure Event Grid domain public network access is disabled
    • Ensure API management services use virtual networks
    • Ensure Azure IoT Hub disables public network access
    • Ensure key vault allows firewall rules settings
    • Ensure SQL server disables public network access
    • Ensure Azure virtual machine NIC has IP forwarding disabled
    • Ensure network interfaces do not use public IPs
    • Ensure Azure application gateway has WAF enabled
    • Ensure Azure front door has WAF enabled
    • Ensure application gateway uses WAF in Detection or Prevention modes
    • Ensure Azure front door uses WAF in Detection or Prevention modes
    • Ensure Azure Cognitive Search disables public network access
    • Ensure Azure file sync disables public network access
    • Ensure Azure Synapse Workspaces enable managed virtual networks
    • Ensure My SQL server disables public network access
    • Ensure 'public network access enabled' is set to False for mySQL servers
    • Ensure Front Door WAF prevents message lookup in Log4j2
    • Ensure Application Gateway WAF prevents message lookup in Log4j2
    • Ensure Cognitive Services disables public network access
    • Ensure Azure Databricks workspace is not public
    • Ensure Azure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
    • Ensure Azure App's service slot uses the latest version of TLS encryption
    • Ensure Azure PostgreSQL uses the latest version of TLS encryption
    • Ensure Azure Machine Learning Workspace is not publicly accessible
    • Ensure Azure ACR is set to disable public networking
    • Ensure Azure Function app uses the latest version of TLS encryption
    • Ensure Azure Cognitive Services accounts disable public network access
    • Ensure Azure HTTP (port 80) access from the internet is restricted
    • Ensure Azure Spring Cloud API Portal Public Access is disabled
    • Ensure Azure Spring Cloud API Portal is enabled for HTTPS
    • Ensure Azure App service slot has debugging disabled
    • Ensure Azure Redis Cache uses the latest version of TLS encryption
    • Ensure Azure AKS cluster nodes do not have public IP addresses
  • Secrets Policies
    • Ensure AKV secrets have an expiration date set
    • Ensure secrets are not exposed in Azure VM customData
  • Storage Policies
    • Ensure Cosmos DB does not allow privileged escalation by restricting management plane changes
    • Ensure secure transfer required is enabled
    • Ensure storage account uses the latest version of TLS encryption
    • Ensure Storage Accounts adhere to the naming rules
  • Public Policies
    • Ensure MariaDB servers have public network access enabled set to False

Google Cloud Policies

  • Google Cloud Policy Index
  • General Policies
    • Ensure GCP VM disks are encrypted with CSEKs
    • Ensure boot disks for instances use CSEKs
    • Ensure compute instances launch with shielded VM enabled
    • Ensure GCP KMS encryption key is rotating every 90 days
    • Ensure incoming connections to Cloud SQL database instances use SSL
    • Ensure Cloud SQL database instances have backup configuration enabled
    • Ensure GCP BigQuery dataset is not publicly accessible
    • Ensure there are only GCP-managed service account keys for each service account
    • Ensure Cloud KMS cryptokeys are not anonymously or publicly accessible
    • Ensure GCP resources that support labels have Labels
    • Ensure GCP Memorystore for Redis has AUTH enabled
    • Ensure GCP Memorystore for Redis uses intransit encryption
    • Ensure GCP SQL database uses the latest Major version
    • Ensure GCP Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEKs)
    • Ensure GCP Vertex AI datasets use a Customer Manager Key (CMK)
    • Ensure GCP Vertex AI Metadata Store uses a Customer Manager Key (CMK)
    • Ensure GCP Pub/Sub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP Artifact Registry repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP subnet has a private IP Google access
    • Ensure GCP Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
    • Ensure GCP KMS keys are protected from deletion
    • Ensure GCP data fusion instances are private
    • Ensure GCP cloud build workers are private
    • Ensure GCP DataFusion has stack driver monitoring enabled
    • Ensure GCP Cloud storage has versioning enabled
    • Ensure GCP DataFusion has stack driver logging enabled
  • IAM Policies
    • Ensure instances do not use default Compute Engine service account
    • Ensure instances do not use default service account with full access to cloud APIs
    • Ensure IAM users are not assigned Service Account User or Service Account Token creator roles at project level
    • Ensure Service Account does not have admin privileges
    • Ensure roles do not impersonate or manage Service Accounts used at folder level
    • Ensure roles do not impersonate or manage Service Accounts used at organizational level
    • Ensure default Service Account is not used at project level
    • Ensure default Service Account is not used at organization level
    • Ensure default Service Account is not used at folder level
    • Ensure roles do not impersonate or manage Service Accounts used at project level
    • Ensure a MySQL database instance does not allow anyone to connect with administrative privileges
    • Ensure GCP Cloud KMS Key Rings are not anonymously or publicly accessible
  • Kubernetes Policies
    • Ensure Stackdriver logging on Kubernetes engine clusters is enabled
    • Ensure ABAC authorization on Kubernetes engine clusters is disabled
    • Ensure GCP Kubernetes engine clusters have stackdriver logging enabled
    • Ensure GCP Kubernetes cluster node auto-repair configuration is enabled
    • Ensure GCP Kubernetes cluster node auto-upgrade configuration is enabled
    • Ensure private cluster is enabled when creating Kubernetes clusters
    • Ensure GCP Kubernetes engine clusters have network policy enabled
    • Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
    • Ensure PodSecurityPolicy controller is enabled on Kubernetes engine clusters
    • Ensure GKE control plane is not public
    • Ensure GCP Kubernetes engine clusters have basic authentication disabled
    • Ensure master authorized networks are enabled in GKE clusters
    • Ensure GCP Kubernetes engine clusters have label information
    • Ensure GCP Kubernetes engine clusters are using Container-Optimized OS for node image
    • Ensure Kubernetes clusters are created with alias IP ranges enabled
    • Ensure Kubernetes engine cluster nodes do not have default service account for project access
    • Ensure secure boot for shielded GKE nodes is enabled
    • Enable VPC flow logs and intranode visibility
    • Ensure GCP Kubernetes Engine Clusters are configured with private nodes feature
    • Ensure Kubernetes RBAC users are managed with Google Groups for GKE
    • Ensure binary authorization is used
    • Ensure GCP Kubernetes engine clusters have legacy compute engine metadata endpoints disabled
    • Ensure the GKE metadata server is enabled
    • Ensure shielded GKE nodes are enabled
    • Ensure integrity monitoring for shielded GKE nodes is enabled
    • Ensure the GKE Release Channel is set
  • Logging Policies
    • Ensure GCP VPC flow logs for the subnet is set to On
    • Ensure GCP log bucket retention policy is configured using bucket lock
    • Ensure GCP project audit logging is configured properly across all services and all users in a project
  • Networking Policies
    • Ensure GCP Firewall rule does not allow all traffic on SSH port 22
    • Ensure GCP Firewall rule does not allow all traffic on RDP port 3389
    • Ensure GCP HTTPS load balancer is not configured with SSL policy having TLS version 1.1 or lower
    • Ensure Cloud SQL database instances are not publicly accessible
    • Ensure GCP Cloud DNS has DNSSEC enabled
    • Ensure RSASHA1 is not used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC
    • Ensure default network does not exist in a project
    • Ensure GCP VM instances have block project-wide SSH keys feature enabled
    • Ensure GCP projects have OS login enabled
    • Ensure project instance does not override the project setting enabling OSLogin
    • Ensure GCP VM instances do not have serial port access enabled
    • Ensure IP forwarding on instances is disabled
    • Ensure GCP project is not configured with legacy network
    • Ensure Cloud Armor prevents message lookup in Log4j2
    • Ensure GCP Firewall rule does not allow all traffic on MySQL port 3306
    • Ensure GCP compute firewall ingress does not allow unrestricted MySQL access
    • Ensure GCP Private Google Access is enabled for IPV6
    • Ensure GCP Google compute firewall ingress does not allow unrestricted HTTP port 80 access
    • Ensure GCP Google compute firewall ingress does not allow FTP port (20) access
    • Ensure GCP Google compute firewall ingress does not allow unrestricted FTP access
    • Ensure GCP compute firewall ingress does not allow unrestricted access to all ports
    • Ensure GCP Cloud Function HTTP trigger is secured
    • Ensure GCP GCR Container Vulnerability Scanning is enabled
  • Public Policies
    • Ensure GCP storage buckets are not publicly accessible to all authenticated users
    • Ensure compute instances do not have public IPs
    • Ensure GCP BigQuery Tables are not anonymously or publicly accessible
    • Ensure GCP Dataflow jobs are private
    • Ensure GCP Vertex AI instances are private
    • Ensure GCP Dataproc cluster is not anonymously or publicly accessible
    • Ensure GCP Cloud KMS cryptokey is not anonymously or publicly accessible
    • Ensure GCP Cloud Run services are not anonymously or publicly accessible
    • Ensure GCP Pub/Sub Topic is not anonymously or publicly accessible
    • Ensure GCP Artifact Registry repositories are not anonymously or publicly accessible
    • Ensure GCP Container Registry repositories are not anonymously or publicly accessible
    • Ensure GCP Dataproc Clusters do not have public IPs
  • Google Cloud Storage Policies
    • Ensure Google storage buckets are encrypted
    • Ensure GCP cloud storage bucket with uniform bucket-level access are enabled
    • Ensure bucket logs access
    • Ensure bucket does not log to itself
  • Cloud SQL Policies
    • Ensure GCP MySQL instance with local_infile database flag is disabled
    • Ensure Cloud SQL PostgreSQL instances have log_checkpoints database flag set to On
    • Ensure GCP PostgreSQL instance database flag log_connections is enabled
    • Ensure GCP PostgreSQL instance database flag log_disconnections is enabled
    • Ensure GCP PostgreSQL instance database flag log_lock_waits is enabled
    • Ensure GCP PostgreSQL instance database flag log_min_messages is set
    • Ensure GCP PostgreSQL instance database flag log_temp_files is set to 0
    • Ensure GCP PostgreSQL instance database flag log_min_duration_statement is set to -1
    • Ensure Cloud SQL SQL server instance database flag cross db ownership chaining is set to Off
    • Ensure Cloud SQL SQL server instance contained database authentication database flag is set to Off
    • Ensure Cloud SQL database instances do not have public IPs

Docker Policies

  • Docker Policy Index
    • Ensure port 22 is not exposed
    • Ensure healthcheck instructions have been added to container images
    • Ensure a user for the container has been created
    • Ensure update instructions are not used alone in a Dockerfile
    • Ensure Copy is used instead of Add in Dockerfiles
    • Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated)
    • Ensure the base image uses a non latest version tag
    • Ensure the last USER is not root
    • Ensure Docker From alias is unique for multistage builds
    • Ensure Docker WORKDIR values are absolute paths
    • Ensure Docker APT is not used

Git Policies

  • Secrets Policy Index
    • Artifactory Credentials
    • AWS Access Keys
    • Azure Storage Account Access Keys
    • Basic Auth Credentials
    • Cloudant Credentials
    • Base64 High Entropy String
    • IBM Cloud IAM Key
    • IBM COS HMAC Credentials
    • JSON Web Token
    • Secret Keyword
    • Mailchimp Access Key
    • NPM Token
    • Private Key
    • Slack Token
    • SoftLayer Credentials
    • Square OAuth Secret
    • Stripe Access Key
    • Twilio Access Key
    • Hex High Entropy String
    • Ensure GitHub repository is private
    • Airtable API Key
    • Algolia API Key
    • Alibaba Cloud Keys
    • Asana Token
    • Atlassian Oauth2 Keys
    • Auth0 Token
    • Bitbucket Token
    • Buildkite Agent Token
    • CircleCI Personal Token
    • Codecov API key
    • Coinbase Keys
    • Confluent Keys
    • Databricks Authentication Token
    • DigitalOcean Token
    • Discord Token
    • Doppler API Key
    • DroneCI Token
    • Dropbox App Credentials
    • Dynatrace Token
    • Elastic Email Key
    • Fastly Personal Token
    • FullStory API Key
    • GitHub Token
    • GitLab Token
    • Google Cloud Keys
    • Grafana Token
    • Terraform Cloud API Token
    • Heroku Platform Key
    • HubSpot API Key
    • Intercom Access Token
    • Jira Token
    • LaunchDarkly Personal Token
    • Netlify Token
    • New Relic Key
    • Notion Integration Token
    • Okta Token
    • PagerDuty Authorization Token
    • PlanetScale Token
    • Postman API Key
    • Pulumi Access Token
    • Python Package Index Key
    • RapidAPI Key
    • Readme API Key
    • RubyGems API Key
    • Sentry Token
    • Splunk User Credentials
    • Sumo Logic Keys
    • Telegram Bot Token
    • Travis Personal Token
    • Typeform API Token
    • Vault Unseal Key
    • Yandex Predictor API key
    • Cloudflare API Credentials
    • Vercel API Token
    • Webflow API Token
    • Scalr API Token
    • MongoDB Connection String
    • GCP Service Account Auth Key
    • Random string entropy detector
    • Braintree Payments Key
    • AWS MWS Auth Token
    • Paypal Token ID
    • Paypal Token Key
    • Braintree Payments ID
    • Braintree Access Token

OCI Policies

  • Compute Policies
    • Ensure OCI Compute Instance boot volume has in-transit data encryption enabled
    • Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled
  • Secrets Policies
    • Ensure no hard coded OCI private key in provider
  • Storage Policies
    • Ensure OCI Block Storage Block Volume has backup enabled
    • Ensure OCI Block Storage Block Volumes are encrypted with a Customer Managed Key (CMK)
    • Ensure OCI Object Storage bucket can emit object events
    • Ensure OCI Object Storage has versioning enabled
    • Ensure OCI Object Storage is encrypted with Customer Managed Key
    • Ensure OCI Object Storage is not Public
    • Ensure OCI File System is Encrypted with a customer Managed Key
  • Logging Policies
    • Ensure OCI Compute Instance has monitoring enabled
  • Networking Policies
    • Ensure VCN has an inbound security list
    • Ensure VCN inbound security lists are stateless
    • Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 3389
    • Ensure OCI security groups rules do not allow ingress from 0.0.0.0/0 to port 22
    • Ensure OCI security list does not allow ingress from 0.0.0.0/0 to port 22
    • Ensure OCI security group has stateless ingress security rules
  • IAM Policies
    • Ensure OCI IAM password policy contains lowercase characters
    • Ensure OCI IAM password policy contains numeric characters
    • Ensure OCI IAM password policy contains symbols
    • Ensure OCI IAM password policy contains uppercase characters
    • Ensure OCI IAM password policy has a minimum length of 14 characters

Alibaba Policies

  • Alibaba Policy Index
  • General Policies
    • Ensure Alibaba Cloud OSS bucket has Transfer Acceleration disabled
    • Ensure Alibaba Cloud OSS bucket is encrypted with Customer Master Key
    • Ensure Alibaba Cloud OSS bucket has versioning enabled
    • Ensure Alibaba Cloud Disk is encrypted with Customer Master Key
    • Ensure Alibaba Cloud OSS bucket is not public
    • Ensure Alibaba Cloud Disk is encrypted
    • Ensure Alibaba Cloud database instance is not public
    • Ensure Alibaba RDS instance has log_connections enabled
    • Ensure Alibaba Cloud RDS instance has log_duration enabled
    • Ensure Alibaba Cloud RDS instance has log_disconnections enabled
    • Ensure Alibaba Cloud launch template data disks are encrypted
    • Ensure Alibaba Cloud RDS instance is set to perform auto upgrades for minor versions
    • Ensure Alibaba Cloud KMS Key Rotation is enabled
    • Ensure Alibaba Cloud RDS log audit is enabled
    • Ensure Alibaba Cloud MongoDB has transparent data encryption enabled
  • IAM Policies
    • Ensure Alibaba Cloud RAM password policy requires at least one uppercase letter
    • Ensure Alibaba Cloud RAM password policy requires at least one number
    • Ensure Alibaba Cloud RAM password policy requires minimum length of 14 or greater
    • Ensure Alibaba Cloud RAM Account maximal login attempts is less than 5
    • Ensure Alibaba Cloud RAM password policy prevents password reuse
    • Ensure Alibaba Cloud RAM password policy requires at least one symbol
    • Ensure Alibaba Cloud RAM password policy requires at least one lowercase letter
    • Ensure Alibaba Cloud RAM password policy expires passwords within 90 days or less
    • Ensure Alibaba Cloud RAM enforces MFA
  • Kubernetes Policies
    • Ensure Alibaba Cloud Kubernetes installs plugin Terway or Flannel to support standard policies
    • Ensure Alibaba Cloud Kubernetes node pools are set to auto repair
  • Logging Policies
    • Ensure Alibaba Cloud Transparent Data Encryption is Enabled on instance
    • Ensure Alibaba Cloud OSS bucket has access logging enabled
    • Ensure Alibaba Cloud RDS Instance SQL Collector Retention Period should be greater than 180
    • Ensure Alibaba Cloud Action Trail Logging for all regions
    • Ensure Alibaba Cloud Action Trail Logging for all events
  • Networking Policies
    • Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 3389
    • Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22
    • Ensure Alibaba Cloud RDS instance uses SSL
    • Ensure Alibaba Cloud API Gateway API Protocol uses HTTPS
    • Ensure Alibaba Cloud Cypher Policy is secured
    • Ensure Alibaba Cloud MongoDB instance uses SSL
    • Ensure Alibaba cloud ALB ACL restricts public access
    • Ensure Alibaba Cloud MongoDB instance is not public
    • Ensure Alibaba Cloud MongoDB is deployed inside a VPC

Bridgecrew Policies

  • General
  • Ensure no hard coded API token exist in the provider
  • Open source vulnerabilities
  • Open Source package License Compliance
  • Open Source Package Unknown License

Open Source Policies

  • Supported Language Index
    • Docker
    • Go
    • HCL
    • Java
    • JavaScript
    • Kotlin
    • Python
    • Ruby
    • YAML

Build Integrity Policies

  • GitHub Policies
    • Ensure GitHub organization security settings require 2FA
    • Ensure GitHub organization security settings require SSO
    • Ensure GitHub organization security settings has IP allow list enabled
    • Ensure GitHub branch protection rules requires signed commits
    • Ensure GitHub pull requests have at least 2 approvals
    • Ensure GitHub repository webhooks use HTTPs
    • Ensure GitHub branch protection rules requires linear history
    • Ensure the GitHub repository has at least 2 admins set
    • Ensure GitHub branch protection rules are enforced on administrators
    • Ensure GitHub organization webhooks use HTTPs
    • Ensure GitHub repository is Private
    • Ensure GitHub repository has vulnerability alerts enabled
    • Ensure GitHub Actions secrets are encrypted
    • Ensure GitHub branch protection dismisses stale review on new commit
    • Ensure GitHub branch protection restricts who can dismiss PR reviews
    • Ensure GitHub branch protection requires CODEOWNER reviews
    • Ensure GitHub branch protection requires status checks
    • Ensure GitHub branch protection requires conversation resolution
    • Ensure GitHub branch protection requires push restrictions
    • Ensure GitHub branch protection rules does not allow deletions
  • GitLab Policies
    • Ensure all Gitlab groups require two factor authentication
    • Ensure Gitlab branch protection rules do not allow force pushes
    • Ensure Gitlab project merge requests has at least 2 approvals
    • Ensure Gitlab project prevents secrets
    • Ensure GitLab projects commits are signed
  • GitHub Actions Policies
    • Ensure GitHub ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
    • Ensure Github run commands are not vulnerable to shell injection
    • Suspicious use of curl with secrets
    • Suspicious use of netcat with IP address
    • Ensure GitHub Actions artifact build has cosign - sign execution in pipeline
    • Ensure GitHub Actions artifact build has SBOM attestation in pipeline
    • Ensure GitHub Actions does not contain workflow_dispatch inputs parameters
  • Bitbucket Policies
    • Ensure BitBucket pull requests require at least 2 approvals
  • GitLab CI Policies
    • Suspicious use of curl with CI environment variables in script
    • Avoid creating rules that generate double pipelines
  • Azure Pipelines Policies
    • Ensure container job uses a non latest version tag
    • Ensure container job uses a version digest
    • Ensure set variable is not marked as a secret

OpenStack Policies

  • Ensure OpenStack firewall rule has destination IP configured
  • Ensure OpenStack instance does not use basic credentials
  • Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp)

API Policies

  • OpenAPI Policies
    • Ensure that securityDefinitions is defined and not empty
    • Ensure that if the security scheme is not of type 'oauth2', the array value must be empty
    • Ensure that security schemes don't allow cleartext credentials over unencrypted channel
    • Ensure that the global security field has rules defined
    • Ensure that security operations is not empty
    • Ensure that security requirement defined in securityDefinitions

Integrate with Code Repositories

Suggest Edits

Integrating with Code Repositories allows Bridgecrew Cloud to:
Scan Infrastructure-as-Code files in your code repositories (in addition to scanning your runtime environments).
Generate Pull Requests with proposed fixes when you choose to Remediate buildtime Incidents.

Currently, Bridgecrew integrates with:

  • GitHub.com
  • Bitbucket
  • GitLab Self-Managed
  • GitLab
  • GitHub Server
  • Bitbucket Server
  • Azure Repos

Updated over 1 year ago